Office of Inspector General

Evaluation of the FMC's Compliance with the Federal Information Security Management Act FY 2012

A13-03

December 2012

FEDERAL MARITIME COMMISSION


FEDERAL MARITIME COMMISSION
Washington, DC 20573

December 21, 2012

Office of Inspector General

Dear Chairman Lidinsky and Commissioners:

The Office of Inspector General (OIG) submits its report on the status of information security at the Federal Maritime Commission (FMC) for FY 2012. The OIG relied on the expertise of information security evaluators from Your Internal Controls LLC for assistance on this mandated review.

The objectives of the independent evaluation of the FMC's information security program were to evaluate its security posture by assessing compliance with the Federal Information Security Management Act (FISMA) and related information security policies, procedures, standards, and guidelines. The scope of this task included the FMC Network and the applications housing service contracts (SERVCON), tariff location filings (Form-1), and FMC license applications (Form-18). The OIG also performed a network scan to identify potential system vulnerabilities and assessed management actions to implement prior-year recommendations.

The FY 2012 report contains two new subject matter findings and two recommendations for corrective action. Scan results were provided to Office of Information Technology (OIT) network staff as soon as results were known to enable them to make needed adjustments. I am glad to report that no serious vulnerabilities were found.

The OIG thanks FMC staff, especially the OIT, for its assistance in helping us to meet our report objectives.

Respectfully submitted,

/Adam R. Trzeciak/
Inspector General


TABLE OF CONTENTS

PURPOSE ................................................. 1
BACKGROUND .............................................. 1
SCOPE AND METHODOLOGY ................................... 1
CURRENT YEAR FINDINGS ................................... 2
MANAGEMENT RESPONSES AND PRIOR YEAR FOLLOW UP ........... 2
SYS-01 VULNERABILITY ASSESSMENT RESULTS ................. 3
PRIOR YEAR RECOMMENDATIONS .............................. 5


PURPOSE

Your Internal Controls (contractor), on behalf of the Federal Maritime Commission (FMC), Office of Inspector General (OIG), conducted an independent evaluation of the quality and compliance of the FMC's information security program with applicable federal computer security laws and regulations. Your Internal Controls' evaluation focused on FMC's information security program as required by the Federal Information Security Management Act (FISMA). This report was prepared by the contractor with guidance from the Office of Inspector General.

BACKGROUND

On December 17, 2002, the President signed into law H.R. 2458, the E-Government Act of 2002 (Public Law 107-347). Title III of the E-Government Act of 2002, commonly referred to as FISMA, focuses on improving oversight of federal information security programs and facilitating progress in correcting agency information security weaknesses. FISMA requires federal agencies to develop, document, and implement an agency-wide information security program that provides security for the information and information systems that support the operations and assets of the agency. This program includes providing security for information systems provided or managed by another agency, contractor, or other source. FISMA assigns specific responsibilities to agency heads and Inspectors General (IGs). It is supported by security policy promulgated through the Office of Management and Budget (OMB), and by risk-based standards and guidelines published in the National Institute of Standards and Technology (NIST) Special Publication (SP) series.

Under FISMA, agency heads are responsible for providing information security protections commensurate with the risk and magnitude of harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems. FISMA requires agencies to have an annual independent evaluation performed on their information security programs and practices and to report the evaluation results to OMB. FISMA states that the independent evaluation is to be performed by the agency IG or by an independent external auditor as determined by the IG. Implementing adequate information security controls is essential to ensuring an organization can effectively meet its mission.

SCOPE AND METHODOLOGY

The scope of our testing focused on the FMC General Support Systems (GSS) and Major Applications (MA). We conducted our testing through inquiry of FMC personnel, observation of activities, inspection of relevant documentation, and the performance of technical security testing. More specifically, our testing covered a sample of controls as listed in NIST 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Revision 3. For example, testing covered system security plans, access controls, risk assessments, configuration management, contingency planning, security awareness, and auditing. Our scope also included a vulnerability assessment of the overall network and of the workstations that connect to the network.

CURRENT YEAR FINDINGS

During our FY 2012 evaluation, we noted that FMC has taken steps to improve the information security program and to remediate some prior year deficiencies. For example, the FMC has increased the size of audit logs and modified the audit log setting to automatically move them to another storage medium in the event that the audit logs become full. Security awareness training has been rolled out satisfactorily, and this prior year deficiency is now closed. The FMC also re-categorized one system to comply with Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. Lastly, the agency has finalized Memorandums of Understanding (MOU) between the FMC and external agencies that communicate with FMC systems, to ensure that security between them meets or exceeds FMC security requirements.

The OIG also found areas where improvement is possible. A network scan identified two deficiencies, which pertain to weak server configuration settings and to insecure services running on the network.

Based on this review, the OIG closed seven (7) recommendations and clarified to management what actions it needs to take to close the remaining recommendations. The status of all open recommendations as of the close of fieldwork is identified in Appendix I.

MANAGEMENT RESPONSES AND PRIOR YEAR FOLLOW UP

We have included management's response to the OIG recommendation(s) at the end of the report. The contractor also reviewed the implementation status of 21 prior year(s) unimplemented recommendations. Management has taken steps to close seven (7) of the 21 recommendations, which the OIG verified as completed. The OIG was unable to close the remaining 14 recommendations, due to management's assertion that corrective action had not yet occurred.

SYS-01 VULNERABILITY ASSESSMENT RESULTS

Condition:

The contractor performed a vulnerability assessment utilizing Nessus, a commercial software tool. This software deployed recent plug-ins, which allowed the scan to identify the latest vulnerabilities on both the network (servers, routers, firewalls, etc.) and a sample of desktops connected to the network. The last vulnerability scan was conducted in 2009. The results of this scan were as follows:

   1. The servers and workstations were not configured with the latest security patches.
   2. The network and servers were not configured securely. There were agents and outdated services running that can be exploited.

Criteria:

   1. NIST 800-40, Procedures for Handling Security Patches, section 2.1 states: "We recommend creating a "Patch and Vulnerability Group" (PVG). The size of the PVG will vary depending on the size and complexity of the organization. The PVG may consist of full- or part-time personnel. The personnel involved should have broad knowledge of patches, systems administration, and computer vulnerabilities. In addition, it is helpful to have specialists in particular operating systems, applications, and servers. Personnel who already provide system or network administration functions, perform vulnerability scanning or who operate intrusion detection systems are likely candidates for this group. The duties of the PVG will be to support local administrators in finding and fixing vulnerabilities in the organization's software. The PVG will generally not patch vulnerabilities themselves; rather they will work with a local administrator to apply and test patches. Generally speaking, the main function of the PVG groups should be to ensure consistency across an organization."

   2. NIST 800-123, Guide to General Server Security, section 3.3 states: "Organizations should develop standardized secure configurations for widely used Operating Systems (OS) and server software. This will provide recommendations to server and network administrators on how to configure their systems securely and ensure consistency and compliance with the organizational security policy. Because it only takes one insecurely configured host to compromise a network, organizations with a significant number of hosts are especially encouraged to apply this recommendation." Section 4.1 states: "Once an OS is installed, applying needed patches or upgrades to correct for known vulnerabilities is essential. Any known vulnerabilities an OS has should be corrected before using it to host a server or otherwise exposing it to untrusted users. To adequately detect and correct these vulnerabilities, server administrators should do the following:
          o Create, document, and implement a patching process.
          o Identify vulnerabilities and applicable patches.
          o Mitigate vulnerabilities temporarily if needed and if feasible (until patches are available, tested, and installed).
          o Install permanent fixes (patches, upgrades, etc.)"

   3. NIST 800-123, Guide to General Server Security, section 4.2.2 states: "The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services. The names and passwords for those accounts are well known. Remove (whenever possible) or disable unnecessary accounts to eliminate their use by attackers, including guest accounts on computers containing sensitive information. For default accounts that need to be retained, including guest accounts, severely restrict access to the accounts, including changing the names (where possible and particularly for administrator or root level accounts) and passwords to be consistent with the organizational password policy. Default account names and passwords are commonly known in the attacker community."

   4. NIST 800-123, Guide to General Server Security, section 4.2.2 states: "Enabling authentication by the host computer involves configuring parts of the OS, firmware, and applications on the server, such as the software that implements a network service. In special situations, such as high-value/high-risk servers, organizations may also use authentication hardware, such as tokens or one-time password devices. Use of authentication mechanisms where authentication information is reusable (e.g., passwords) and transmitted in the clear over an untrusted network is strongly discouraged because the information can be intercepted and used by an attacker to masquerade as an authorized user."

Cause:

The FMC network has undergone recent upgrades, and there were time constraints placed on limited personnel to identify the latest patches and other vulnerability weaknesses.

Risk:

   1. Without updated patches on systems, there is the potential for remote code execution through exploitation of buffer overflows and other vulnerabilities. Patches are deployed to close those areas subject to exploitation. Without the latest patches being deployed, identified vulnerabilities may be exploited through known attack venues.

   2. Hosts (and web servers) running outdated versions may result in a denial of service or other exploitative attacks on the network. Servers and other technologies are built with standard default user IDs and passwords so that administrators can configure them. Attackers know the default user IDs and passwords, as this is common knowledge. It is therefore crucial that those default IDs and passwords be changed to prevent exploitation of weak authentication credentials.

Recommendation(s):

   1. Identify which patches are missing and assess which of those can be deployed without harming the network. Once complete, deploy the patches to ensure the network is protected.

   2. Disable all services running on the hosts that are not being used. If the services are being used, then deploy the latest versions, which will provide the latest security protection. Also, if FTP is to be deployed on servers, ensure that anonymous access is prohibited and secure transmission is required.

PRIOR YEAR RECOMMENDATIONS

The following table details all prior year deficiencies identified during our FISMA evaluation. There are a total of 21 deficiencies identified in the table. Of those 21 deficiencies, seven (7) have been closed in the current audit period. While all of the deficiencies listed below are important, some are clearly a priority and should take precedence with regard to remediation. We've determined that deficiency Nos. 3, 6, 13, and 14 are the most critical and should be remediated as soon as possible.

Deficiency # 3 addresses the review of audit logs. Without reviewing the logs, there may be negative actions taken against the agency without awareness on the part of OIT. The audit logs must be reviewed timely, and corrective actions (e.g. investigating failed logon attempts) must be taken as a result of those reviews.

Deficiency # 6 addresses the Contingency Plan. Without a final and signed Contingency Plan, the agency lacks basic assurances that the agency's critical functions could proceed during a catastrophic event without loss or compromise of its data.

Deficiency # 13 addresses password complexity. The current password requirements are not appropriate, and they should adhere to complexity requirements.

Deficiency # 14 identifies C&A package shortcomings for the network and the SERVCON application. C&A packages document the various security controls, as identified from a security categorization (FIPS-199). The controls are then tested and evaluated to ascertain whether there are any risks that would preclude the system from being placed in a live environment. Without finalized C&A packages, data may not be adequately protected with commensurate security controls.

#  | POA&M | Report | Open / Closed

1  | Evaluate FMC mobile needs and implement FIPS 140-2 encryption on mobile computers and portable devices carrying agency data. (OIG estimates the required level of effort for this recommendation to be 20 hours). | Report A2010-02 (#3) | Open

2  | From the report generated via the Numara software product, identify which patches and service packs can be deployed without harming the network. Further, upon completion, review the configuration settings of the servers to ensure security settings have not changed. (OIG estimates the required level of effort for this recommendation to be 40 hours). | Report A2012-02 (#1) | Closed during the FY 2012 FISMA engagement

3  | Ensure that audit logs are reviewed monthly and necessary actions are taken to respond to those audit events generated as a result of adverse actions. (OIG estimates the required level of effort for this recommendation to be 5 hours per month). | Report A2012-02 (#2) | Open

4  | Set the audit logs to a size that can sustain the logs being generated. Also, as the logs fill up, they should be moved to another storage medium so that current logs are maintained. | Report A2012-02 (#3) | Closed

5  | Ensure only IT personnel and others with a job-related need have access to the Data Center by reviewing non-OIT personnel access badges and disabling as appropriate. | Report A2012-02 (#4) | Open

6  | Ensure that the Contingency Plan has been reviewed and signed off as final. Also, ensure that OIT performs a contingency test, training, and exercise in accordance with NIST 800-34. (The estimated level of effort for this recommendation is 40 hours). | Report A2012-02 (#5) | Open

7  | Ensure that IT personnel are properly trained with regard to incident response prevention, detection, and correction. (The estimated level of effort for this recommendation is 40 hours per year for each OIT employee with incident response responsibilities). | Report A2012-02 (#6) | Open

8  | The FMC should implement formal incident response procedures so that in the event of an incident, the appropriate responses could be taken to minimize any adverse impact to the agency. (OIG estimates the required level of effort for this recommendation to be 20 hours). | Report A2012-02 (#7) | Closed during the FY 2012 FISMA engagement

9  | Implement HSPD-12 in accordance with laws and regulations. (OIG estimates the required level of effort for this recommendation to be 40 hours). | Report A2012-02 (#8) | Open

10 | A system inventory should be maintained and from this listing, the following should be performed: • identify which of those systems have PII and IIF; • identify which of those systems need a PIA; • identify which of those PIAs need to be posted on the FMC website; • identify information that needs to be redacted prior to posting of the PIA on the FMC website. (OIG estimates the required level of effort for this recommendation to be 20 hours). | Report A2012-02 (#9) | Open

11 | Ensure that IT incorporates the agency's checkout process for terminated employees into its access procedures and updates access permissions for those employees who are promoted or move (i.e., change assignments) within the agency. This will ensure that IT changes the user access settings appropriately. IT should also review access rights on a quarterly basis and with other Commission bureaus and offices to identify and assess non-FMC personnel access needs for other users such as those users that are external to the agency. (OIG estimates the required level of effort for this recommendation to be 10 hours). | Report A2012-02 (#10) | Open

12 | Ensure that all agency personnel take Security Awareness Training every year in accordance with NIST 800-50 and comply with IT Security for Personnel MD 2011-4. | Report A2012-02 (#11) | Closed during the FY 2012 FISMA engagement

13 | Ensure that password complexity is set to "enable" and applies to all personnel within the FMC agency. (OIG estimates the level of effort for this recommendation at 4 hours). | Report A2012-02 (#12) | Open

14 | The Network GSS C&A and the SERVCON C&A should be signed and finalized. (OIG estimates the level of effort for this recommendation at 40 hours). | Report A2012-02 (#13) | Open

15 | The Network GSS and SERVCON System Security Plans (SSP) should be signed and finalized. (OIG estimates the level of effort for this recommendation at 4 hours). | Report A2012-02 (#14) | Closed during the FY 2012 FISMA engagement

16 | The SERVCON FIPS-199 Security Categorization should be a "Moderate" categorization. | Report A2012-02 (#15) | Closed during the FY 2012 FISMA engagement

17 | All controls in the SSPs should be reviewed to ensure their implementation status is correct. (OIG estimates the level of effort for this recommendation at 40 hours). | Report A2012-02 (#16) | Open

18 | Any weaknesses as a result of STEs should be corrected immediately. (OIG estimates the level of effort for this recommendation at 20 hours). | Report A2012-02 (#17) | Open

19 | The FMCDB should be carved out into a separate C&A package. (OIG estimates the level of effort for this recommendation at 40 hours). | Report A2012-02 (#18) | Open

20 | The SERVCON system should have an e-Authentication assessment conducted. (OIG estimates the level of effort for this recommendation at 2 hours). | Report A2012-02 (#19) | Open

21 | Develop an MOU for all agencies where external personnel access the FMC data. | Report A2012-02 (#20) | Closed during the FY 2012 FISMA engagement


UNITED STATES GOVERNMENT                                       FEDERAL MARITIME COMMISSION

Memorandum

TO: Office of the Inspector General                            DATE: December 7, 2012

FROM: Chief Information Officer

THROUGH: /Managing Director/

SUBJECT: Evaluation of the FMC's Compliance with the Federal Information Security Management Act (FISMA) FY 2012

This is in response to your recently provided FISMA audit draft report.

Recommendation 1. The OIG recommends that OIT identify which patches are missing and assess which of those can be deployed without harming the network. Once complete, deploy the patches to ensure the network is protected.

Response: OIT agrees with the findings of the Inspector General and will follow the recommendations set forth in the FY 2012 Evaluation of the FMC's Compliance with the Federal Information System Management Act (FISMA). This is a new finding resulting from OIT not being able to use the Patch Manager software that has worked so well in the past. OIT is currently in the process of identifying a new server patch deployment technology, which will be in place by the end of the second quarter of FY 2013.

Recommendation 2. The OIG recommends that OIT disable all services running on the hosts that are not being used. If the services are being used, then deploy the latest versions, which will provide the latest security protection. Also, if FTP is to be deployed on servers, ensure that anonymous access is prohibited and secure transmission is required.

Response: OIT is in the process of identifying all unnecessary services running on the FMC servers and disabling them. Part of this process will be the installation of all of the FMC servers into the Xacta IA Manager continuous monitoring suite, which employs the following standards: USGCB/SCAP, FIPS 199, NIST 800-37 (Risk Management Framework), NIST 800-53/53A (Security Controls for Federal IS), and NIST 800-60 (Guide for Mapping Information Systems to Security Categories). This will be completed by the end of the second quarter of FY 2013.

/Anthony Haywood/